
GitHub Dependabot Alert Notification to Slack & Email

Use the GitHub integration by MagicBell to set up a workflow that runs when the dependabot_alert event fires in GitHub.

Connect GitHub to MagicBell to receive events and trigger workflows. This guide uses the MagicBell CLI.

Add the GitHub integration

Save your GitHub webhook signing secret in MagicBell. GitHub uses this secret to sign every delivery (the X-Hub-Signature-256 header), and MagicBell needs it to verify that an incoming webhook really came from GitHub rather than from anyone who has discovered the webhook URL. See GitHub webhooks.

magicbell integration save_github \
  --data '{"webhook_signing_secret":"your_secret_here"}'

Copy the ID from the response and use it to build your webhook URL:

https://api.magicbell.com/v2/integrations/github/webhooks/incoming/{id}

Set up the webhook

  • Set up a webhook in GitHub with the URL from the last step, and enter the same signing secret you saved in MagicBell as the webhook's secret.
  • Select the dependabot_alert event.
  • If you already have a webhook configured, make sure it includes this event and that its secret matches the one saved in MagicBell.
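What the signing secret is for, shown as an added example (this is not MagicBell's code): GitHub computes an HMAC-SHA256 of each delivery's raw body with the webhook secret and sends it in the X-Hub-Signature-256 header; the receiver recomputes it and compares in constant time before trusting anything in the body. The handler below does that, then derives the workflow key from the X-GitHub-Event header and the action in the body, following the key format used on this page. The sample delivery, the placeholder secret and the function names (sign, verify_signature, route_event) are constructed for the example.

```python
"""Verify a GitHub webhook delivery with the webhook signing secret.

Added example, not MagicBell's code. GitHub computes HMAC-SHA256 over the
raw request body using the webhook secret and sends the result in the
X-Hub-Signature-256 header as "sha256=<hex>". A receiver recomputes it and
compares in constant time before trusting anything in the body.
"""
import hashlib
import hmac
import json
from typing import Dict, Optional

# Placeholder from the page; the real value must match the secret saved
# in MagicBell and the one entered in the GitHub webhook settings.
SECRET = "your_secret_here"


def sign(body: bytes, secret: str) -> str:
    """Return the header value GitHub would send for this body and secret."""
    digest = hmac.new(secret.encode("utf-8"), body, hashlib.sha256).hexdigest()
    return f"sha256={digest}"


def verify_signature(body: bytes, signature_header: Optional[str], secret: str) -> bool:
    """Check X-Hub-Signature-256 against the raw (unparsed) body.

    compare_digest is constant-time, so a forged signature cannot be
    refined byte by byte from response timing.
    """
    if not signature_header or not signature_header.startswith("sha256="):
        return False
    return hmac.compare_digest(sign(body, secret), signature_header)


def route_event(headers: Dict[str, str], body: bytes, secret: str) -> Optional[str]:
    """Return the workflow key this delivery maps to, or None if rejected.

    The event type is in the X-GitHub-Event header and the action is in
    the body. The body is parsed only after the signature checks out, so
    unauthenticated input never reaches the JSON parser.
    Key format follows the page: integration.github.<event>.<action>.
    """
    if not verify_signature(body, headers.get("X-Hub-Signature-256"), secret):
        return None
    event = headers.get("X-GitHub-Event", "")
    action = json.loads(body).get("action", "")
    return f"integration.github.{event}.{action}"


# Constructed sample delivery; only the fields the router needs are present.
SAMPLE_BODY = json.dumps({"action": "created", "alert": {"number": 1}}).encode()
SAMPLE_HEADERS = {
    "X-GitHub-Event": "dependabot_alert",
    "X-Hub-Signature-256": sign(SAMPLE_BODY, SECRET),
}

if __name__ == "__main__":
    print(route_event(SAMPLE_HEADERS, SAMPLE_BODY, SECRET))
    # Changing the body invalidates the signature: the delivery is dropped.
    tampered = SAMPLE_BODY.replace(b"created", b"dismissed")
    print(route_event(SAMPLE_HEADERS, tampered, SECRET))
```

The second call in the `__main__` block shows why the secret matters: a body altered in transit, or posted by someone who only knows the webhook URL, fails verification and never becomes a notification. The same check is what a mismatched secret between GitHub and MagicBell will trip on, so if no workflow fires after setup, compare the two values first.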

Add a workflow

Create a workflow that triggers automatically when GitHub sends this event.

Workflow key

Use this key to trigger the workflow when GitHub sends a dependabot_alert event:

integration.github.dependabot_alert

Filter by action: GitHub sends the event type (dependabot_alert) in the X-GitHub-Event header and the action (created, dismissed, fixed, and so on) in the payload body. Use an if condition to filter for the created action, so that dismissals and fixes of an existing alert do not notify the team again:

"if": "payload.action == 'created'"

Example workflow

Notify the security team when Dependabot detects a vulnerability.

{
  "key": "integration.github.dependabot_alert.created",
  "steps": [
    {
      "command": "broadcast",
      "input": {
        "action_url": "{{payload.alert.html_url}}",
        "content": "{{payload.alert.security_vulnerability.severity}} severity vulnerability found in {{payload.alert.dependency.package.name}} ({{payload.alert.dependency.package.ecosystem}}) in {{payload.repository.full_name}}.",
        "overrides": {
          "providers": {
            "email": {},
            "slack": {}
          }
        },
        "recipients": [
          {
            "external_id": "security-team"
          }
        ],
        "title": "Security Alert: {{payload.alert.security_advisory.summary}}"
      }
    }
  ]
}

Save with the CLI

Use the MagicBell CLI to save this workflow to your project. You can also use the Workflows API endpoint instead.

magicbell workflow save \
  --data '{"key":"integration.github.dependabot_alert.created","steps":[{"command":"broadcast","input":{"action_url":"{{payload.alert.html_url}}","content":"{{payload.alert.security_vulnerability.severity}} severity vulnerability found in {{payload.alert.dependency.package.name}} ({{payload.alert.dependency.package.ecosystem}}) in {{payload.repository.full_name}}.","overrides":{"providers":{"email":{},"slack":{}}},"recipients":[{"external_id":"security-team"}],"title":"Security Alert: {{payload.alert.security_advisory.summary}}"}}]}'

Event payload

Sample payload for the dependabot_alert event. Use Liquid templates to access fields in your workflow.

{
  "action": "created",
  "alert": {
    "auto_dismissed_at": null,
    "created_at": "2025-01-15T10:00:00Z",
    "dependency": {
      "manifest_path": "package-lock.json",
      "package": {
        "ecosystem": "npm",
        "name": "lodash"
      },
      "scope": "runtime"
    },
    "dismissed_at": null,
    "dismissed_by": null,
    "dismissed_comment": null,
    "dismissed_reason": null,
    "fixed_at": null,
    "html_url": "https://github.com/acme/project/security/dependabot/1",
    "number": 1,
    "security_advisory": {
      "cve_id": "CVE-2025-1234",
      "cvss": {
        "score": 7.5,
        "vector_string": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
      },
      "description": "Versions of lodash before 4.17.21 are vulnerable to Prototype Pollution.",
      "ghsa_id": "GHSA-xxxx-xxxx-xxxx",
      "identifiers": [
        {
          "type": "GHSA",
          "value": "GHSA-xxxx-xxxx-xxxx"
        },
        {
          "type": "CVE",
          "value": "CVE-2025-1234"
        }
      ],
      "published_at": "2025-01-01T00:00:00Z",
      "references": [
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1234"
        }
      ],
      "severity": "high",
      "summary": "Prototype Pollution in lodash",
      "updated_at": "2025-01-15T00:00:00Z",
      "vulnerabilities": [
        {
          "first_patched_version": {
            "identifier": "4.17.21"
          },
          "package": {
            "ecosystem": "npm",
            "name": "lodash"
          },
          "severity": "high",
          "vulnerable_version_range": "< 4.17.21"
        }
      ],
      "withdrawn_at": null
    },
    "security_vulnerability": {
      "first_patched_version": {
        "identifier": "4.17.21"
      },
      "package": {
        "ecosystem": "npm",
        "name": "lodash"
      },
      "severity": "high",
      "vulnerable_version_range": "< 4.17.21"
    },
    "state": "open",
    "updated_at": "2025-01-15T10:00:00Z",
    "url": "https://api.github.com/repos/acme/project/dependabot/alerts/1"
  },
  "organization": {
    "avatar_url": "https://avatars.githubusercontent.com/u/111111",
    "description": "Building great software",
    "id": 111111,
    "login": "acme"
  },
  "repository": {
    "default_branch": "main",
    "full_name": "acme/project",
    "html_url": "https://github.com/acme/project",
    "id": 987654321,
    "name": "project",
    "node_id": "MDEwOlJlcG9zaXRvcnk5ODc2NTQzMjE=",
    "owner": {
      "avatar_url": "https://avatars.githubusercontent.com/u/111111",
      "html_url": "https://github.com/acme",
      "id": 111111,
      "login": "acme",
      "type": "Organization"
    },
    "private": false,
    "visibility": "public"
  },
  "sender": {
    "avatar_url": "https://avatars.githubusercontent.com/in/29110",
    "id": 49699333,
    "login": "dependabot[bot]",
    "node_id": "MDM6Qm90NDk2OTkzMzM=",
    "type": "Bot"
  }
}
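To see what the example workflow above will actually send before saving it, the following added example (not MagicBell's code) renders its title, content and action_url against a trimmed copy of the sample payload and applies the page's action filter. It implements only the subset of Liquid the workflow uses, namely {{ dotted.path }} lookups that render a missing value as an empty string; the filter payload.action == 'created' is mirrored as a plain Python check. The PAYLOAD constant and the function names (lookup, render, should_trigger, preview) are constructed for the example.

```python
"""Preview the dependabot_alert workflow's notification offline.

Added example, not MagicBell's code. Only the Liquid subset used by the
workflow on the page is implemented: {{ dotted.path }} lookups into the
event payload. Real Liquid has filters, loops and conditionals as well.
"""
import re
from typing import Any, Dict, Optional

# Trimmed copy of the page's sample payload (constructed for this example).
PAYLOAD: Dict[str, Any] = {
    "action": "created",
    "alert": {
        "html_url": "https://github.com/acme/project/security/dependabot/1",
        "dependency": {"package": {"ecosystem": "npm", "name": "lodash"}},
        "security_advisory": {"summary": "Prototype Pollution in lodash", "severity": "high"},
        "security_vulnerability": {
            "severity": "high",
            "first_patched_version": {"identifier": "4.17.21"},
        },
        "state": "open",
    },
    "repository": {"full_name": "acme/project"},
}

# The templated fields from the example workflow's broadcast step.
WORKFLOW_INPUT: Dict[str, str] = {
    "title": "Security Alert: {{payload.alert.security_advisory.summary}}",
    "content": (
        "{{payload.alert.security_vulnerability.severity}} severity vulnerability found in "
        "{{payload.alert.dependency.package.name}} ({{payload.alert.dependency.package.ecosystem}}) "
        "in {{payload.repository.full_name}}."
    ),
    "action_url": "{{payload.alert.html_url}}",
}

_TAG = re.compile(r"\{\{\s*([A-Za-z0-9_.]+)\s*\}\}")


def lookup(context: Dict[str, Any], path: str) -> str:
    """Resolve a dotted path; like Liquid, a missing variable renders as ''."""
    cur: Any = context
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return ""
        cur = cur[part]
    return "" if cur is None else str(cur)


def render(template: str, context: Dict[str, Any]) -> str:
    """Replace every {{ path }} tag in the template with its looked-up value."""
    return _TAG.sub(lambda m: lookup(context, m.group(1)), template)


def should_trigger(payload: Dict[str, Any]) -> bool:
    """Mirror of the page's if condition: only the 'created' action notifies."""
    return payload.get("action") == "created"


def preview(payload: Dict[str, Any], workflow_input: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return the rendered notification fields, or None if the filter drops it."""
    if not should_trigger(payload):
        return None
    context = {"payload": payload}
    return {name: render(tpl, context) for name, tpl in workflow_input.items()}


if __name__ == "__main__":
    for field, value in (preview(PAYLOAD, WORKFLOW_INPUT) or {}).items():
        print(f"{field}: {value}")
    # A later 'dismissed' delivery for the same alert is filtered out.
    print(preview({**PAYLOAD, "action": "dismissed"}, WORKFLOW_INPUT))
```

Running it against the sample payload yields the title "Security Alert: Prototype Pollution in lodash" and the content "high severity vulnerability found in lodash (npm) in acme/project."; the same alert arriving again with action "dismissed" produces no notification. Because a field that does not exist renders as an empty string rather than an error, a typo in a template path such as payload.alert.securiy_advisory.summary silently yields "Security Alert: ", so previewing the rendered text against a real payload before saving the workflow is worth the few seconds it takes.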